Health Entities and Ransomware — HHS Adopts a “Blame the Victim” Strategy. Let’s See if It Works. – Security Boulevard
Clarinda Regional Health Center Reports Data Breach Affecting 24K Patients
Data breaches have been announced by Clarinda Regional Health Center in Iowa, Community Connections in DC, Waveny Lifecare Network in Connecticut, and NJ Pain Care Specialists in New Jersey.
Clarinda Regional Health Center
Clarinda Regional Health Center, a Clarinda, IA-based non-profit hospital, has started notifying 24,341 individuals about a recent cybersecurity incident that exposed sensitive data. Suspicious activity was identified within its computer network on December 15, 2026, and the forensic investigation determined that files containing patient data may have been accessed or acquired without authorization in October 2025. The LockBit5 ransomware group claimed responsibility for the incident.
The file review confirmed that the exposed data included first and last names, dates of birth, medical information, health insurance information, financial account numbers, Social Security numbers, driver’s license numbers, and taxpayer identification numbers. The types of data varied from individual to individual.
The review of the affected files was completed on May 21, 2026, and notification letters started to be mailed to the affected individuals on June 2, 2026. Individuals whose Social Security numbers were exposed in the incident have been offered complimentary credit monitoring and identity theft protection services. Clarinda Regional Health Center has confirmed that additional security measures have been implemented to reduce the risk of similar incidents in the future.
Community Connections
Community Connections, a Washington D.C.-based non-profit provider of behavioral health, residential, and primary health care coordination services, has notified the HHS’ Office for Civil Rights about a breach of the protected health information of 18,943 individuals.
The breach was reported to OCR on May 18, 2026. Details about the data breach have yet to be publicly disclosed; however, a ransomware group – Inc Ransom – claimed responsibility for the incident and listed Community Connections to its dark web data leak site in late March, although it does not appear to have leaked the stolen data.
A similarly sized data breach was experienced in 2024, affecting 18,943 individuals. According to the notifications issued on August 27, 2025. The incident was detected on October 21, 2024, and full names, addresses, dates of birth, Social Security numbers, financial information, driver’s license or state identification information, medical information, and health insurance information were potentially involved. Following that incident, multiple steps were taken to reduce the risk of similar incidents in the future, including implementing new technical safeguards and retraining members of its workforce.
Waveny Lifecare Network
Waveny Lifecare Network, a New Canaan, CT-based community-focused non-profit providing residential care, skilled nursing, and in-home care services to seniors, has recently reported a data security incident to the Maine Attorney General that has affected 8,548 individuals. Suspicious activity was identified within its computer systems on May 28, 2025. Third-party cybersecurity specialists were engaged to investigate the incident and confirmed that a limited amount of data was accessed by an unauthorized third party on May 28, 2025.
Waveny Lifecare Network conducted a time-consuming review of the affected data, and that process was completed on March 23, 2026. Up-to-date contact information was then obtained to allow notification letters to be mailed, which were sent on June 2, 2026. The notification letter to the Maine AG has the data types redacted, although they are detailed in the individual notification letters. As a precaution against data misuse, the affected individuals have been offered complimentary credit monitoring and identity theft protection services.
NJ Pain Care Specialists
NJ Pain Care Specialists, LLC, an interventional spine and pain management practice in Ocean Township, New Jersey, has announced a data security incident. Unauthorized activity was identified within its computer network on or around February 28, 2026. The investigation confirmed unauthorized access to its network occurred between February 25, 2026, and February 28, 2026, during which time, files may have been removed from its network.
The investigation to date has determined that data compromised in the incident includes names, addresses, dates of birth, medical record numbers, driver’s license numbers or other ID numbers, clinical or treatment information, medical procedure information, medical provider names, prescription information, and health insurance information.
NJ Pain Care Specialists said it has reviewed and enhanced its data security policies and procedures, and its technical, administrative, and physical safeguards. The investigation is ongoing, and the number of individuals has yet to be determined. The breach has been reported to the HHS’ Office for Civil Rights using an interim total of at least 501 individuals. The total will be updated when the investigation is concluded.
The post Clarinda Regional Health Center Reports Data Breach Affecting 24K Patients appeared first on The HIPAA Journal.
HIPAA Training US Announces New HIPAA Training Certificate Wallet Card Coming June 2026 – openPR.com
HIPAA Training US Announces New HIPAA Training Certificate Wallet Card Coming June 2026 – StreetInsider
HIPAA Training US Announces New HIPAA Training Certificate Wallet Card Coming June 2026 – The Killeen Daily Herald
HIPAA Training US Announces New HIPAA Training Certificate Wallet Card Coming June 2026 The Killeen Daily Herald
Adonis Highlights Focus on Evolving HIPAA Cybersecurity Standards – TipRanks
$3.3M Settlement Resolves Data Breach Lawsuit Against Mt. Baker Imaging & Northwest Radiologists
Mt. Baker Imaging and Northwest Radiologists have agreed to pay $3,300,000 to settle a consolidated class action lawsuit stemming from a January 2025 ransomware attack and data breach affecting hundreds of thousands of patients.
Mt. Baker Imaging is a Washington-based medical imaging provider that uses Northwest Radiologists for interpreting medical images. In January 2025, a cyberattack was identified, and the forensic investigation determined that an unauthorized third party accessed its network between January 20, 2025, and January 25, 2025, and obtained files containing names, contact information, dates of birth, Social Security numbers, driver’s license or state identification card numbers, treatment or diagnosis information, and health insurance information. The data breach was reported to the Washington Attorney General as affecting 348,118 state residents, and the HHS’ Office for Civil Rights was informed that the protected health information of up to 362,713 individuals was compromised in the incident.
Multiple class action lawsuits were filed in response to the data breach, which were consolidated in a single complaint – In re: Mt. Baker Imaging, LLC, Data Security Litigation – in the Superior Court of the State of Washington for Whatcom County. The lawsuit alleged that the defendants failed to implement and maintain necessary data security safeguards, and asserted claims for negligence, breach of implied contract, invasion of privacy-intrusion upon seclusion, unjust enrichment, and violations of the Uniform Health Care Information Act, Washington Consumer Protection Act, Washington Data Breach Notification Disclosure Law, and Washington My Health My Data Act.
The defendants and the plaintiffs disagree about the legal claims made in the litigation; however, all parties agreed that a settlement was the best outcome, due to the benefits provided to the class members and the avoidance of the costs, risks, and uncertainty of continuing with the litigation. The defendants have agreed to establish a $3,300,000 settlement fund to cover attorneys’ fees and expenses, settlement administration and notification costs, and service awards for the nine class representatives. The remainder of the settlement fund will be used to pay benefits to approximately 340,184 class members.
All class members are entitled to claim a two-year membership to a medical identity theft protection and monitoring service, and may submit claims for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member, and claim a pro rata cash payment. The pro rata cash payments will distribute the net amount of the settlement fund after costs, expenses, claims, and medical identity theft protection and monitoring costs have been paid.
The deadline for objection and exclusion is July 20, 2026, and claims must be submitted by August 19, 2026. The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for August 21, 2026.
The post $3.3M Settlement Resolves Data Breach Lawsuit Against Mt. Baker Imaging & Northwest Radiologists appeared first on The HIPAA Journal.